Hi all
Is there anybody who knows how to fix this problem? I've used Encase 7 to carve out a lot of IBM Lotus Notes NSF files (in the unallocated space), but none of them can be opened. I'm sure there are certainly some false positives, but some of the right ones still cannot be opened (I know they are not false positives because I can see in Encase the "Lotus Notes" characters and some email header/address information, though I cannot see the contents, as they are confused characters). I put the carved NSF files in the Lotus Notes client, but it says that the email version is not right. Hope someone can give a little advice.
Thanks a lot ;)
Hi,
I have been working in the field of Lotus Notes recovery & migration for the past 11 years. From your query it seems that you are not able to open NSF files in your installed Lotus Notes client.
I suggest you try upgrading your Lotus Notes client, as NSF files created in a higher version of Lotus Notes will not open in a lower version of the Lotus Notes client installed on your machine.
NSF files are typically large. This means the chance of being fragmented is also very high. Data carving will not recover fragmented files that work.
If the NSF files are for e-mails, these tend to grow with use, and hence increase the chance of being fragmented.
Success with carving in unallocated space does depend on how much the machine has been used since the files were deleted.
Can you scan the MFTs for entries that may have been deleted? NTFS may then still have the data run info, and you can determine if the files have been overwritten, or partially overwritten.
Thanks for your reply. So do you think there is any chance to recover a fragmented NSF file? Or is it possible to just extract email messages from the fragmented NSF file?
The carving method used by Encase is poorly suited for recovering NSF files (at least in version 5 and 6).
> Data carving will not recover fragmented files that work.
Not entirely true. Some more advanced carving tools are able to deal with fragmentation (DFRWS 2006 and 2007 challenge), but I don't think much research has been done regarding NSF.
Last time I checked, Encase provided a basic header-footer carver, so I opt to use a tool/carving config that is more suited for recovering NSF files.
Otherwise you'll manually have to see what you can make of the data in the files; you can find some more info on the format here:
https://code.google.com/p/libnsfdb/downloads/detail?name=Notes%20Storage%20Facility%20%28NSF%29%20database%20file%20format.pdf
Does the volume have Volume Shadow Snapshots? Have you checked those?
Since the entire structure of the carved-out NSF file is not maintained, just a few fragments, is it possible to just extract individual email messages from the fragments of the NSF file?
As a first stage I would look to see if there are any complete .NSF files on the disk, and see how fragmented they are. If they just have one or two fragments then manual repair may 'just' be possible if you understand the file structure. If the files are in multiple fragments, forget it. To process fragmented files you need to understand the structure exceptionally well, and also be aware that similar files can lead to false positive matches, i.e. part of file 'a' with file 'b'.
My main attempt to solve your problem would be to see if the original MFT entry exists and still has its data run info intact.
Finally I would run a keyword search to find sectors that contained e-mail info, e.g. phrases such as 'reply to'. Look at some good e-mails to see what standard headers they contain. You may be able to do some type of data carving, but I suspect e-mails will start anywhere in a sector, and not just on cluster boundaries; most carving tools expect files to start on sector or cluster boundaries.
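The MFT data-run check suggested in the posts above, as an added Python example that is not part of the original thread: it reads the unnamed non-resident $DATA attribute of a FILE record and decodes its run list into cluster extents, so you can see how many fragments a deleted file had and where to look for them. All function names are hypothetical, the sample record is constructed, a 4096-byte cluster size is assumed, and update-sequence fixups are not applied.

```python
import struct

def decode_data_runs(buf):
    """Decode an NTFS run list into (start_lcn, clusters); start_lcn is None if sparse."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:            # a 0x00 header ends the list
        len_size, off_size = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("corrupt or truncated run list")
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))                 # sparse run, nothing on disk
        else:                                          # signed delta from previous LCN
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            runs.append((lcn, count))
            pos += off_size
    return runs

def data_runs_of_record(rec):
    """Return (in_use, runs) for one FILE record, or None if it is not a FILE record."""
    if rec[:4] != b"FILE":
        return None
    pos, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    while pos + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 16 or pos + alen > len(rec):
            break                                      # end marker or damaged attribute
        # 0x80 = $DATA; byte 8 = non-resident flag; byte 9 = name length (0 = unnamed)
        if atype == 0x80 and alen >= 0x40 and rec[pos + 8] == 1 and rec[pos + 9] == 0:
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            return bool(flags & 1), decode_data_runs(rec[pos + run_off:pos + alen])
        pos += alen
    return bool(flags & 1), []

def byte_extents(runs, cluster_size=4096):
    """Map runs to (volume_byte_offset, byte_length) in file order (assumed cluster size)."""
    return [(None if lcn is None else lcn * cluster_size, n * cluster_size)
            for lcn, n in runs]

def make_sample_record():
    """Constructed 1024-byte record: flags 0 (deleted file), $DATA in three fragments."""
    runlist = bytes.fromhex("21 18 34 56 31 40 00 00 02 21 08 00 f0 00")
    rec = bytearray(b"FILE" + bytes(1020))
    struct.pack_into("<HH", rec, 0x14, 0x38, 0)        # attrs at 0x38, not in use
    struct.pack_into("<IIBB", rec, 0x38, 0x80, 0x50, 1, 0)
    struct.pack_into("<H", rec, 0x38 + 0x20, 0x40)     # run list starts at attr + 0x40
    rec[0x78:0x78 + len(runlist)] = runlist
    struct.pack_into("<I", rec, 0x88, 0xFFFFFFFF)      # attribute list end marker
    return bytes(rec)
```

Each extent can then be compared against the volume's allocation bitmap or the carved data to judge whether that fragment has been overwritten since deletion.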
> Thanks for your reply. So do you think there is any chance to recover a fragmented NSF file? Or is it possible to
> just extract email messages from the fragmented NSF file?
Really depends on various factors:
* what are you after?
* how is the resulting information going to be used: as indicative findings or evidence?
* how much data do you have?
* how much effort is it worth?
* what is the skill level of the person doing the recovery?

I agree with mscotgrove here: try the low-hanging fruit first, e.g. is a string search sufficient to find the evidence you seek, e.g. icw. searching through compressed data (e.g. bulkextractor)? Is there a backup? Notes/Domino has this nice feature that it replicates files on the server (in some cases). VSS? Etc., etc.
The resulting information is mainly used for indicative findings. It seems that the email content in the fragmented NSF file is compressed, so directly utilizing string search cannot find what I am looking for. It is all about a hard drive of 200GB size.
I assume that the other proposed actions do not provide you with the info you're looking for?
What about whipping up your own quick and dirty decompression for the NSF fragments?